DEV541: Secure Coding in Java/JEE: Developing Defensible Applications

This secure coding course will teach students how to build secure Java applications and gain the knowledge and skills to keep a website from getting hacked, counter a wide range of application attacks, prevent critical security vulnerabilities that can lead to data loss, and understand the mindset of attackers.

The course teaches you the art of modern web defense for Java applications by focusing on foundational defensive techniques, cutting-edge protection, and Java EE security features you can use in your applications as soon as you return to work. This includes learning how to:

Identify security defects in your code

Fix security bugs using secure coding techniques

Utilize secure HTTP headers to prevent attacks

Secure your sensitive representational state transfer (REST) services

Incorporate security into your development process

Use freely available security tools to test your applications

Great developers have traditionally distinguished themselves by the elegance, effectiveness and reliability of their code. That is still true, but the security of the code now needs to be added to those other qualities. This unique SANS course allows you to hone the skills and knowledge required to prevent your applications from getting hacked.

DEV541: Secure Coding in Java/JEE: Developing Defensible Applications is a comprehensive course covering a wide set of skills and knowledge. It is not a high-level theory course - it is about real-world, hands-on programming. You will examine actual code, work with real tools, build applications and gain confidence in the resources you need to improve the security of Java applications.

Rather than teaching students to use a given set of tools, the course covers concepts of secure programming. This involves looking at a specific piece of code, identifying a security flaw and implementing a fix for flaws found on the OWASP Top 10 and CWE/SANS Top 25 Most Dangerous Programming Errors.

The course culminates in a Secure Development Challenge in which students perform a security review of a real-world open-source application. You will conduct a code review, perform security testing to actually exploit real vulnerabilities, and implement fixes for these issues using the secure coding techniques that you have learned in the course.

PCI Compliance

Requirement 6.5 of the Payment Card Industry (PCI) Data Security Standard (DSS) requires that developers be trained in secure coding techniques and instructs assessors to verify that this training takes place. If you are responsible for developing applications that process cardholder data, and are therefore required to be PCI compliant, this is the course for you.

Course Topics

Common Web Application Vulnerabilities

Cross-site scripting (XSS)

Cross-site request forgery (CSRF)

SQL injection

HTTP response splitting

Parameter manipulation

Data Validation

Input validation

Whitelisting vs. blacklisting

Output encoding and escaping

Parameterized queries

Using frameworks and APIs

Authentication

How to use encryption and certificates

Protecting session IDs

JEE-based authentication

Basic and form-based authentication

Client certificate authentication

Session Management

Session hijacking

Session fixation

Access Control

Java Enterprise Edition (JEE)-based authorization

Declarative and programmatic access control

Using annotations

Java Security Manager

Encryption

Java Secure Socket Extension (JSSE)

Java Cryptography Architecture (JCA)

Client certificates

Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS)

Java Programming and Language

Race conditions

Logging and error handling

Class security

You Will Learn To:

Keep your website from getting hacked

Counter a wide range of application attacks

Prevent critical security vulnerabilities that can lead to data loss

Understand the attacker's mindset and how your applications can be hacked

Course Syllabus

DEV541.1: Data Validation

Overview

Improper data validation is the root cause of the most prevalent web application vulnerabilities today. On this first course day students will learn about some of the most prevalent web application vulnerabilities, including cross-site scripting (XSS), cross-site request forgery (CSRF), SQL injection, HTTP response splitting and parameter manipulation. You will see how to find these issues and re-create them in a running application. Then you will use a variety of methods to actually fix the vulnerabilities in your Java code.

The course is full of hands-on exercises in which you apply practical data validation techniques to prevent common attacks, with defenses ranging from input validation and output encoding to newer mechanisms such as Content Security Policy.
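As an added illustration of the Day 1 defenses (this is not course material or lab code), the following stand-alone Java program shows the four fixes named above side by side: whitelist input validation with a regular expression, contextual HTML output encoding against XSS, rejection of CR/LF in header values against HTTP response splitting, and a parameterized JDBC query beside the concatenated query it replaces. The class and method names (DataValidationDemo, lookupEmail, safeHeaderValue) and the sample inputs are this example's own choices; lookupEmail needs a live JDBC Connection and is shown for the pattern, everything else runs with a plain JDK (7 or later).

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.regex.Pattern;

// Added example, not from the DEV541 course: whitelist validation, HTML output
// encoding, CRLF rejection for header values, and a parameterized query.
public class DataValidationDemo {

    // Whitelist: a username is 3-32 characters of letters, digits, dot, underscore, hyphen.
    // Anything else is rejected outright; no attempt is made to "clean" bad input.
    private static final Pattern USERNAME = Pattern.compile("^[A-Za-z0-9._-]{3,32}$");

    public static String validateUsername(String input) {
        if (input == null || !USERNAME.matcher(input).matches()) {
            throw new IllegalArgumentException("invalid username");
        }
        return input;
    }

    // Output encoding for HTML element content and quoted attribute values.
    // Only the characters that can change parsing context are encoded, so data such
    // as O'Brien still renders correctly but can no longer break out of the element.
    public static String encodeForHtml(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                case '/':  out.append("&#x2F;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // HTTP response splitting: a CR/LF inside a header value (e.g. a redirect Location
    // built from user input) ends the header block and lets the attacker inject a
    // second response. Reject control characters rather than trying to strip them.
    public static String safeHeaderValue(String v) {
        if (v == null) throw new IllegalArgumentException("null header value");
        for (int i = 0; i < v.length(); i++) {
            char c = v.charAt(i);
            if (c == '\r' || c == '\n' || (c < 0x20 && c != '\t')) {
                throw new IllegalArgumentException("control character in header value");
            }
        }
        return v;
    }

    // VULNERABLE (shown for contrast): string concatenation. The input ' OR '1'='1
    // is parsed as SQL and changes the meaning of the query.
    public static String vulnerableQuery(String username) {
        return "SELECT id, email FROM users WHERE name = '" + username + "'";
    }

    // FIXED: a PreparedStatement sends the query text and the data separately, so the
    // parameter is never parsed as SQL. Requires a real JDBC Connection to run.
    public static String lookupEmail(Connection conn, String username) throws SQLException {
        String sql = "SELECT email FROM users WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("email") : null;
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs, the kind an attacker would submit.
        System.out.println(encodeForHtml("<script>alert(1)</script>"));
        System.out.println(vulnerableQuery("' OR '1'='1"));
        try {
            validateUsername("bob; DROP TABLE users");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        try {
            safeHeaderValue("/home\r\nSet-Cookie: JSESSIONID=attacker");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac DataValidationDemo.java && java DataValidationDemo`. Note that encodeForHtml is correct only for HTML body and attribute contexts; data placed inside JavaScript, CSS or a URL needs the encoder for that context, which is the point of the "contextual" output encoding covered in the course.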

CPE/CMU Credits: 6

Topics

Web Application Attacks

Cross-Site Scripting (XSS)

Cross-Site Request Forgery (CSRF)

SQL Injection

HTTP Response Splitting

Parameter Manipulation

Directory Traversal

Web Application Proxies

Validation Concerns

Character Encoding

Input Validation

Output Encoding

Blacklisting and Whitelisting

Validation Techniques

Regular Expressions

Servlet Filters

Output Encoding

Content Security Policy

Prepared Statements

CSRF Defense

DEV541.2: Authentication and Session Management

Overview

Broken authentication and session management are common issues that can compromise the integrity of your system. Weak authentication protection can allow an attacker to expose your most sensitive secrets: your data! In this session students will learn about these vulnerabilities and what you can do to design and code stronger authentication protections from the start. You will learn how to use Java Enterprise Edition (EE) container-based authentication and set up basic, form-based and client certificate authentication.

You will also learn how to protect data in transit using SSL, and how to securely store passwords at rest. Various authorization attacks will be discussed, as well as unvalidated forwards and redirects. Session management attacks and defenses will also be covered along with Clickjacking and associated defenses.

CPE/CMU Credits: 6

Topics

Authentication Factors

Authentication Attacks

Java EE authentication

Basic Authentication

Form-based Authentication

Client Certificates

Using SSL

Secure Password Storage

Authorization

Web and Enterprise JavaBean Access Control

Authorization Attacks

Access Control Bypass

Unvalidated Forwards and Redirects

State Management Attacks

Session Hijacking

Session Fixation

Clickjacking

Using X-Frame-Options

DEV541.3: Java Platform and API Security

Overview

Java is the language of choice for many mission-critical applications, so it is vital to understand the security features and implications of the Java language itself and the Java Runtime Environment (JRE). Through numerous hands-on exercises you will learn about the Java Security Manager, how code privileges are managed, and how to sign JAR files. You will also learn about exception handling and the importance of logging. In further hands-on exercises you will write code that encrypts data in transit and at rest using the Java Secure Socket Extension (JSSE) and the Java Cryptography Architecture (JCA), see how integer and double overflows arise, and examine numerous Java language features you should consider when writing secure code.

Organizations continue to expose critical representational state transfer (REST)-based web services that are consumed by Ajax and mobile applications. You will learn how vulnerabilities like Cross-Site Request Forgery (CSRF) can be used by attackers against your JSON services, how to develop applications that are resistant to such attacks, and how the OAuth protocol provides delegated authorization.

CPE/CMU Credits: 6

Topics

Java Security Manager

Permissions

Policy File

Jar Signing

Class Security

Error Handling

Exceptions

Using Try/Catch/Finally

Logging

Logging Frameworks

ESAPI Logging

Encryption

Java Secure Sockets Extension (JSSE)

Java Cryptography Architecture (JCA)

Integer and Double Overflows

Thread Safety

Race Conditions

Web Service (JAX-RS) Security

REST Security

OAuth

DEV541.4: Secure Development Lifecycle

Overview

Using what you have learned about web application vulnerabilities, in this session you will conduct a security review of a real-world open-source application. You will see first-hand how to integrate security into your software development life cycle (SDLC) by first conducting a code review of a large, widely used open-source application. Once you have identified vulnerabilities in the code, you will perform security testing to actually exploit these weaknesses, and then fix them using the secure coding techniques learned in class.

The Secure Development Challenge introduces you to what is needed in a Secure SDLC and shows you how to do it first-hand!

CPE/CMU Credits: 6

Topics

Security and the SDLC

Conducting a Secure Code Review

Manual Code Review

Using a Static Analysis Tool

Using FindBugs

Integrating Code Review into the SDLC

Security Testing

Exploiting XSS, CSRF, and SQL Injection

Secure Coding

Fixing Weaknesses in a Running Application

Additional Information

Laptop Required

LAPTOP REQUIRED! IMPORTANT - YOU MUST BRING YOUR OWN LAPTOP!

System Requirements

To get the most value out of the course, students are required to bring their own laptop so that they can run the virtual machine containing all the code and labs that will be used in class. Your laptop must meet the following requirements:

Laptop with administrative level access

25 GB available hard drive space

4 GB RAM minimum, 8 GB or more recommended

Working USB port required (USB 3.0 port recommended)

x86-compatible 2 GHz CPU or faster

VMware

Students will use VMware to perform exercises in class. You must have a working copy of one of the following programs installed on your system prior to coming to class:

VMware Workstation Player 7.0 or later

VMware Workstation 11.0 or later

VMware Fusion 7.0 or later for Mac OS X

VMware Workstation Player can be downloaded for free. Alternatively, if you want a more configurable and flexible tool, you can download a free 30-day trial copy of VMware Workstation or VMware Fusion. These products are available at www.vmware.com. VMware will send you a time-limited serial number for VMware Workstation or VMware Fusion if you register for the trial on its website. No serial number is required for VMware Workstation Player.

We will give you a USB drive containing a VMware image with a self-contained development environment (Eclipse, Tomcat, etc.) that you will use in class and can keep for further study once the course is finished.

The class does not support VirtualPC or other non-VMware virtualization products.

Java Documentation

It is recommended that students download the Java SE 7 and Java EE 7 Javadoc documentation for use as reference material while doing the in-class exercises (the Javadoc license prohibits redistribution). The documentation can be found at java.oracle.com.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

Who Should Attend

Developers who want to build more secure applications

Java Enterprise Edition (JEE) programmers

Software engineers

Software architects

Developers who need to be trained in secure coding techniques to meet PCI compliance

While the course is focused specifically on software development, it is accessible enough for anyone comfortable working with code who has an interest in understanding the developer's perspective, including:

Application security auditors

Technical project managers

Senior software QA specialists

Penetration testers who want a deeper understanding of target applications or who want to provide more detailed vulnerability remediation options

Prerequisites

Students should have at least one year of experience working with the Java Enterprise Edition platform and a thorough knowledge of the Java language and web technologies.

Press & Reviews

"This course provided a great review in Java development practices to ensure secure and defensible applications." - John Davis, Lockheed Martin Corporation

"Actually coding the examples from a 'find the weakness' and 'fix it' standpoint, as you do in DEV541, is a big help." - Andrew Whitehead, Federal Reserve Bank, Richmond

"DEV541 will help change the way the developers in my organization code. We have not placed a high amount of emphasis on secure coding before." - Brett Hanson, Agrium

"The course gave me a whole new perspective about security." - Mohammed Ahmed, ACT

Author Statement

After having taught application security to hundreds of developers, I have learned what works in teaching this important subject. Developers need to be intellectually challenged with exercises, and they need a variety of solutions they can apply to a single problem in different scenarios. By giving our students concrete examples of applications they can take back with them to their workplaces, we are arming attendees of this course with strong techniques that can be applied to both current and future projects. By knowing how various web application attacks work, and how common programming errors are made and how to prevent them, developers will have the tools necessary to prevent a large number of application attacks. Take part in this groundbreaking class and arm yourself with the knowledge to protect your Java applications! - Frank Kim
